Nowhere To Hide From Internet Risks

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

In a shocking article written by a person who can only be called a computer superuser, he explains why Internet security has finally become a myth.

First off, most of us commit fundamental mistakes with passwords. Some people even use "password" or "123456" as their password. This means the bad guys hardly even have to guess. They'll try those first and be correct often enough to make it worth their while.

We're told passwords need to be long and random and include upper- and lower-case letters, numbers, and even punctuation to be safe, but with the processing power available on today's personal computers, cracking even elaborate passwords is possible.

And even where a password is long and effective at thwarting even automated guessing, the bad guys can simply get on the phone and trick a customer service person into giving it up. All they need is one or two facts about you. Sometimes the bad guys bluff their way into an account with no information at all! They change the password and then rummage around for information they can use to bluff their way in more easily to some of your other accounts.

One mistake many of us make (and sometimes are forced to make) is to log into some site using our Facebook or Twitter login. This linking of accounts has made it much easier for the baddies to take over or modify to their benefit everything you value online, obtaining credit card numbers or your bank account login and PIN. If they are pranksters, they could log into your Facebook account and leave offensive racist or sexist posts.

Back to passwords for a sec. The usual advice was not to reuse passwords on multiple sites and to make them long and hard to guess. They also told us not to write them down. I'm reminded of that poster you often see in print shops: "You want it good and cheap and fast? Pick two and call me back." Even one long and elaborate password would be hard to recall without writing it down, but most of us have at least a half dozen sites requiring passwords. It's become impossible to follow the best password advice.

But what about fingerprint or iris scanning? They have a big problem. There are ways to copy and use them. If a crook or prankster figures out how to duplicate your fingerprint or iris pattern, you're screwed. At least you can change a password.

Even if all that stuff worked, there are so many ways to go around the front end straight to the back end of a computer system. A baddie can install software to record information over a period of time that could be short or long and then use that information to the detriment of one or hundreds of thousands of people. For example, it could collect credit card numbers given to an online merchant and then sell them to the highest bidder or, if he's a prankster, dump them on any of the sites where password trading goes on.

You can find out more about this topic by pursuing the link following the italicized paragraphs at the top.

In a shocking article written by a person who can only be called a computer superuser, he explains why Internet security has finally become a myth.

I don't know much about Mat Honan's credentials. None are posted on Wired that I can find. I doubt any old-school hackers would call him a super anything, judging by his spotty usage of terminology and incorrect characterization of the nature of the attack.

The password wasn't the weak link in his security profile. The attacker didn't guess the password or exploit a software vulnerability. This was a social engineering attack; call and trick the service provider into lowering his defenses. The rest was a matter of Honan reusing passwords and not backing up his data: rookie mistakes.

Social engineering isn't a new approach, either. Kevin Mitnick compromised or bypassed most security systems starting in 1979 using this approach: call the key master, deliver a sob story, and ask for the key. (If you're curious, read Ghost in the Wires, in which Mitnick explains his techniques.)

We're told passwords need to be long and random and include upper- and lower-case letters, numbers, and even punctuation to be safe, but with the processing power available on today's personal computers, cracking even elaborate passwords is possible.

Brute force attacks like this one are extremely rare and even more rarely effective against elaborate passwords. Good security systems impose a waiting period of several minutes between login attempts after a certain number of failed attempts (3 to 7, usually). This foils the speed advantage of the attacking system. For example, if an average of a million guesses is required (a low estimate), then a 3-minute waiting period between each guess means waiting six years.

And even where a password is long and effective at thwarting even automated guessing, the bad guys can simply get on the phone and trick a customer service person into giving it up. All they need is one or two facts about you.

This is the weakest link in any security system or policy: human beings. There are ways you can mitigate this as well but it'll take some explanation. Post your interest here if you'd like me to elaborate.

One mistake many of us make (and sometimes are forced to make) is to log into some site using our Facebook or Twitter login.

Nobody can force you to make a mistake. If the site has questionable security (such as forcing a link between sensitive accounts) then don't use it. I don't use Facebook or Twitter, and never used MySpace, due in part to concerns over security and privacy.

Even one long and elaborate password would be hard to recall without writing it down, but most of us have at least a half dozen sites requiring passwords. It's become impossible to follow the best password advice.

I developed a password generation technique and wrote a paper about it in grad school. The method generates a strong password that is unique to each system you use. Best of all, the passwords are impossible to forget because you don't know them yourself. You only know how to reproduce them.

But what about fingerprint or iris scanning? They have a big problem. There are ways to copy and use them. If a crook or prankster figures out how to duplicate your fingerprint or iris pattern, you're screwed. At least you can change a password.

This is part of the reason I prefer passwords. A photograph of a fingerprint can fool some biometric security systems. One team of office workers got around this requirement by creating the initial fingerprint impression using a gummi bear (to cope with the owner of the actual fingerprint going on vacation).

A baddie can install software to record information over a period of time that could be short or long

This is true mostly of your local system rather than remote hosts, although it does happen to the latter occasionally. (If you're using Windows instead of a Linux or Unix distro, you might as well hand over your password now.) Again, you can mitigate the damage by protecting your private information: back up your information, don't use your real name and information online (unless you absolutely must do so to complete a purchase), don't link more than 1 or 2 accounts, and avoid storing credit card information on merchant sites (most give you the option to opt out).

You'll never be 100% secure online, but you can take steps to make yourself a harder target, and motivate an attacker to move to a softer target instead.
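The lockout arithmetic in the reply above, as an added example that is not part of the original post: a minimal per-account login throttle implementing the policy described there (after a threshold of failed attempts, a waiting period before each further attempt), driven by a brute-force guesser against a simulated clock so the cost imposed purely by the policy can be measured. The account name, the 5-attempt threshold, the 3-minute delay and the candidate list are all constructed for illustration.

```python
import time
from collections import defaultdict

SECONDS_PER_YEAR = 365 * 86400


class LoginThrottle:
    """Per-account throttle: once `threshold` consecutive failures have been
    recorded, each further attempt is refused unless `delay_seconds` have
    passed since the last attempt that was actually evaluated. A success
    clears the counter. A refused attempt is not counted and does not extend
    the wait (a policy choice; some deployments do extend it)."""

    def __init__(self, threshold=5, delay_seconds=180, clock=time.monotonic):
        self.threshold = threshold
        self.delay = delay_seconds
        self.clock = clock                 # injectable so a simulation can drive time
        self.failures = defaultdict(int)   # consecutive failures per account
        self.last_evaluated = {}           # time of the last evaluated attempt

    def attempt(self, user, password, verify):
        now = self.clock()
        if self.failures[user] >= self.threshold:
            if now < self.last_evaluated[user] + self.delay:
                return "locked"            # refused without checking the password
        self.last_evaluated[user] = now
        if verify(user, password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "fail"


def simulate_brute_force(candidates, real_password, threshold=5, delay_seconds=180):
    """Feed `candidates` in order to a throttled login. The simulated clock only
    advances when the throttle forces the attacker to wait, so the elapsed time
    is exactly the cost imposed by the lockout policy.
    Returns (guesses_evaluated, elapsed_seconds, found)."""
    clock = [0.0]
    throttle = LoginThrottle(threshold, delay_seconds, clock=lambda: clock[0])

    def verify(user, pw):                  # stands in for a real credential check
        return pw == real_password

    evaluated = 0
    for guess in candidates:
        result = throttle.attempt("alice", guess, verify)
        if result == "locked":
            # attacker waits out the delay, then retries the same guess
            clock[0] = throttle.last_evaluated["alice"] + delay_seconds
            result = throttle.attempt("alice", guess, verify)
        evaluated += 1
        if result == "ok":
            return evaluated, clock[0], True
    return evaluated, clock[0], False


def expected_crack_years(guesses, threshold=5, delay_seconds=180):
    """Wall-clock years for `guesses` sequential online attempts under the policy:
    the first `threshold` are free, every later one costs one delay."""
    return max(0, guesses - threshold) * delay_seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # constructed candidate list: common passwords first, target is the 1000th guess
    wordlist = ["password", "123456"] + [f"guess{i}" for i in range(997)] + ["T4rg3t!pw"]
    print(simulate_brute_force(wordlist, "T4rg3t!pw"))   # (1000, 179100.0, True): ~49.75 hours
    print(simulate_brute_force(wordlist, "123456"))      # (2, 0.0, True): found before any wait
    print(round(expected_crack_years(1_000_000), 1))    # 5.7, the post's "six years"
```

Two caveats a practitioner would add: a per-account lockout like this lets anyone who knows a username lock the legitimate owner out (most deployments pair it with per-source limits and monitoring), and it only slows guessing through the front door; an attacker who has stolen a password hash and cracks it offline is never slowed by any online throttle.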

I developed a password generation technique and wrote a paper about it in grad school. The method generates a strong password that is unique to each system you use. Best of all, the passwords are impossible to forget because you don't know them yourself. You only know how to reproduce them.

GM I'd like to know how this works. Creating passwords is one of those things that taxes my creative imagination, and a necessary evil.

If you forget which method you used to make the password for a given site, try all three. Most places allow at least 3 guesses before you're locked out so you'll hit it before then. Note also that you could invent and safely write down a personal notation that represents your password generation method: you're the only person on earth who knows what it means.

- - -

Using this method you can generate literally thousands of very strong and unique passwords. More importantly, it's impossible to forget a password because most of the time you have no idea what the actual password is anyway. You only know how to type it.

Nice, would love to see some code for it. Another way I saw a few months back on Hacker News was to take a password, append a few letters from the name of the site or service you want the password for, like a salt, and hash it.
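The salted-hash approach described in the comment above (master password plus the site name as a salt, hashed), as an added example that is not the poster's grad-school method, which the thread never spells out. It goes slightly beyond the comment: the site name is normalised and paired with a rotation counter as the salt, a slow KDF (PBKDF2) replaces a bare hash so that one exposed derived password does not become a fast offline attack on the master, and rejection sampling keeps the output deterministic while meeting a typical character-class policy. The master secret, the site names and the 64-symbol alphabet are assumptions made for the example.

```python
import hashlib
import hmac
import itertools
import string

# 64 symbols so that `byte % 64` is uniform (no modulo bias)
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64
# classes a typical policy demands at least one of
REQUIRED = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "-_")


def normalise_site(site):
    """Canonical salt material: ' Example.COM ' and 'example.com' must agree."""
    return site.strip().lower()


def satisfies_policy(password):
    return all(any(c in cls for c in password) for cls in REQUIRED)


def derive_site_password(master, site, counter=1, length=20, iterations=100_000):
    """Derive a per-site password from a master secret.

    The salt is the normalised site name plus a counter, so each site gets a
    different password and bumping the counter rotates it without changing
    the master. PBKDF2 rather than a bare hash: if one derived password is
    exposed (a breached site that stored it poorly), each candidate master
    costs the attacker `iterations` hashes instead of one. (100k iterations
    is an assumption for the example; real use should go higher.)
    """
    if not 8 <= length <= 32:      # one SHA-256 block of output per round
        raise ValueError("length must be between 8 and 32")
    salt = f"{normalise_site(site)}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    # Rejection sampling: expand the key into candidate strings and keep the
    # first that satisfies the policy. Deterministic, and uniform over
    # policy-compliant strings rather than patching in required characters.
    for round_no in itertools.count():
        stream = hmac.new(key, round_no.to_bytes(4, "big"), "sha256").digest()
        candidate = "".join(ALPHABET[b % 64] for b in stream[:length])
        if satisfies_policy(candidate):
            return candidate


if __name__ == "__main__":
    master = "correct horse battery staple"       # constructed master secret
    for site in ("example.com", " Example.COM ", "bank.example"):
        print(f"{site!r:18} -> {derive_site_password(master, site)}")
    print("rotated:", derive_site_password(master, "example.com", counter=2))
```

The trade-offs are the same as for any derivation scheme: compromise of the master exposes every site at once, changing the master changes every password, and a site whose rules reject the alphabet or length used here needs that exception (or the counter bump) recorded somewhere, which is the kind of personal notation the reply above suggests writing down.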

In the future, effective passwords will require a mix of upper- and lower-case letters, numbers, punctuation, and at least one each of characters from Sanskrit, Hebrew, Arabic, and Cyrillic alphabets combined with a scrotum or vulva scan and the recitation of Lincoln's Gettysburg Address in phonetically correct reverse order.